Cryptojacking Explained

May 6, 2021

What is Cryptojacking?

Cryptojacking is the unauthorized use of a person’s or organization’s computing resources to mine cryptocurrency.

Cryptojacking programs may be malware installed on a victim’s computer via phishing, infected websites, or other methods common to malware attacks, or they may be small pieces of code inserted into digital ads or web pages that operate only while the victim is visiting a particular website.

What do cryptojackers gain?

Cryptocurrency mining requires a considerable amount of computational power, as well as the electricity to run all that power. While there are many legitimate cryptocurrency miners using their own equipment, they do so at a non-trivial cost. Cybercriminals conduct malicious cryptomining surreptitiously on other people’s systems so they can reap the rewards while incurring none of the expenses associated with the mining process.

How Does Cryptojacking Work?

In a traditional non-cash financial transaction, a merchant sends a transaction to a merchant bank, which sends it to a payment processor, which sends it to an issuing bank. Along the way, the various parties check the transaction against their records to be sure it meets their criteria (is there enough money in the account, is the transaction within the cardholder’s credit limit, is there a transaction fee, etc.) and then the transaction is approved or denied.

But blockchains do not involve any centralized ledgers – they are distributed ledgers that exist on peer-to-peer networks, so there are no centralized authorities to approve or deny a transaction. Instead, every transaction is encrypted and added to a list of transactions waiting to be attached to a blockchain. Each of these lists is a “block” that has yet to be “chained” to existing blocks. Adding blocks to the blockchain is called “mining.”

New blocks have to be verified, and this is where cryptomining comes in: in order to prevent people from gaming the system or hackers from conducting denial-of-service attacks, there needs to be a hurdle that makes it a little challenging to add a block to the blockchain. This hurdle takes the form of arbitrary mathematical puzzles that must be solved before a block can be validated and added to the blockchain. The first cryptocurrency miner to solve one of these puzzles is rewarded with cryptocurrency.
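The puzzle described above is a proof of work: find a nonce that drives a hash below a target. The following is an added example, not code from the original article; the block contents, difficulty scale and nonce search are constructed, and the hash function and target encoding are simplified relative to real Bitcoin or Monero mining. It shows why solving costs CPU time while checking a solution costs one hash, which is the asymmetry a cryptojacker exploits by pushing the search onto victims’ hardware.

```python
import hashlib

# Added example (not from the article): a toy proof-of-work puzzle of the kind
# described above. Block contents, difficulty and the nonce search are all
# constructed for illustration; real Bitcoin or Monero puzzles use different
# hash functions and target encodings, but the cost asymmetry is the same.

def block_hash(block_data: str, nonce: int) -> str:
    """Hash a candidate block together with one trial nonce."""
    return hashlib.sha256(f"{block_data}|{nonce}".encode()).hexdigest()


def meets_target(digest_hex: str, difficulty_bits: int) -> bool:
    """The puzzle is solved when the digest's top difficulty_bits bits are all zero."""
    return int(digest_hex, 16) >> (256 - difficulty_bits) == 0


def mine(block_data: str, difficulty_bits: int, max_tries: int = 10_000_000):
    """Brute-force a nonce. Returns (nonce, digest, tries), or None if the cap is hit.
    Every iteration is a full hash: this loop is the CPU time and electricity a
    cryptojacker offloads onto victims' machines."""
    for nonce in range(max_tries):
        digest = block_hash(block_data, nonce)
        if meets_target(digest, difficulty_bits):
            return nonce, digest, nonce + 1
    return None


def verify(block_data: str, nonce: int, difficulty_bits: int) -> bool:
    """Checking a claimed solution costs one hash, so the whole network can
    validate cheaply what the miner had to search for expensively."""
    return meets_target(block_hash(block_data, nonce), difficulty_bits)


if __name__ == "__main__":
    data = "prev=0000abcd;txs=alice->bob:1.5,bob->carol:0.2"   # constructed block body
    for bits in (8, 12, 16, 20):    # each +4 bits means roughly 16x more expected hashes
        nonce, digest, tries = mine(data, bits)
        assert verify(data, nonce, bits)
        print(f"{bits:2d} bits: tries={tries:>8d} hash={digest[:16]}...")
```

Raising the difficulty a few bits multiplies the expected number of hashes, which is why miners chase cheap compute and why a sudden, sustained CPU spike across a fleet is worth investigating.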

Some types of cryptocurrency are easier to mine than others, and these are the favorites of hackers. Monero, for instance, can be mined on any desktop, laptop, or server, while mining Bitcoin requires expensive specialized hardware. Mining operations can also be conducted on mobile devices, IoT devices, and routers.

Cryptominers may combine their cryptojacking malware with other types of malware, such as ransomware. When a user clicks on a bad link or opens an infected attachment, two programs are downloaded: a cryptojacking program and a ransomware program. The attacker evaluates the targeted system based on its software configuration, hardware configuration, and anti-malware defenses, and then decides whether a cryptojacking attack or a ransomware attack would be the most lucrative.

Or the cryptojackers may not install a program at all. A small piece of cryptomining code may be embedded in a website, WordPress plugin, or advertisement, and then run automatically in the browsers of visitors.

Another type of cryptojacking attack takes place in the cloud, where attackers first steal credentials and then install their scripts into the cloud environment.

The Consequences of Cryptojacking

The consequences of a cryptojacking attack for a person using their home laptop for personal use are a slow computer and a higher electricity bill, but cryptomining at scale that targets an enterprise can create significant harm. Slow performance hurts business productivity, system crashes and downtime cost sales and reputation, and expensive high-performance servers become expensive poorly-performing servers. And of course, operational costs spike as corporate resources are directed away from their intended uses to serve the needs of cryptominers.

In addition, the presence of cryptomining software on the network is an indicator that a more serious cybersecurity problem is in play: if a hacker can get the cryptojacking software past the enterprise’s defenses, they can get other malicious code into the environment as well.

Cryptojacking Examples

Coinhive

Coinhive is no longer in operation, but it’s worth examining because it played an integral role in the rise of the cryptojacking threat. Coinhive ran in the web browser, as a JavaScript file loaded into the pages users visited. Coinhive was the go-to cryptojacking script until its operators shut it down due to a drop in hash rate that occurred after a Monero fork, in conjunction with a drop in the cryptocurrency market that made cryptojacking less lucrative.

WannaMine v4.0

WannaMine v4.0 and its predecessors use the EternalBlue exploit to compromise hosts. It stores the EternalBlue exploit binaries in a C:\Windows directory named “Network Distribution.” This variant of WannaMine randomly generates a .dll name and a service name from a list of hard-coded strings; this is how it maintains persistence on the host.

BadShell

BadShell is fileless malware that does not involve a download. It uses native Windows processes and components, such as PowerShell, Task Scheduler, and the Registry, which makes it particularly difficult to detect.

Graboid

Graboid is a cryptojacking worm that is spread using Docker Engine (Community Edition) containers. Graboid goes unnoticed by traditional endpoint protection solutions, which do not inspect activity inside containers.

PowerGhost

PowerGhost is another fileless malware script that uses native Windows tools to infect workstations and servers in corporate networks. It gains a foothold inside the environment through remote access tools or exploits.

FaceXWorm

FaceXWorm uses social engineering to lure Facebook Messenger users into clicking a fake YouTube link. The fake site prompts the user to download a Chrome extension to view the content, but what the extension actually does is hijack its victims’ Facebook accounts to spread the link across their friend networks. FaceXWorm does more than just hijack users’ systems to mine cryptocurrency: it also intercepts credentials when users try to log into specific sites, such as Google and MyMonero; redirects users who try to reach legitimate cryptocurrency exchange platforms to fraudulent platforms that request a small amount of cryptocurrency as part of the identity verification process; and redirects users to other malicious sites.

Black-T

Black-T targets AWS customers by using exposed Docker daemon APIs. The malware is also capable of using scanning tools to identify other exposed Docker daemon APIs in order to expand its cryptojacking operations further.

Protecting Against Cryptojacking

Challenges

Security teams that have limited resources and visibility have a difficult time addressing cryptojacking because they must:

  • Identify an event and understand the attack vector. The increased use of legitimate tools and fileless attacks makes this difficult.
  • Stop an active breach and remediate systems quickly. When an incident occurs, security teams must stop the incident, then remediate the systems as quickly as possible. This often involves manual investigation and reimaging of machines, which are resource-draining tasks.
  • Learn from an attack and close security gaps. After the incident, security teams must understand what happened, why it happened, and ensure that it doesn’t happen again.
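The first challenge above, identifying an event when the attacker lives off native tools as BadShell and PowerGhost do, comes down to matching behaviour in process telemetry rather than file hashes. The following is an added example, not the article’s or any vendor’s code: a small rule set run over constructed process-creation records. The record format, process names, paths and command lines are illustrative (the “Network Distribution” directory is the one the article attributes to WannaMine), and the pool URL scheme and miner flag are generic indicators, not values taken from the article.

```python
import re
from dataclasses import dataclass

# Added example (not from the article): behavioural rules run over constructed
# process-creation records, approximating EDR telemetry. Process names, paths and
# command lines are illustrative; the "Network Distribution" directory is the
# one the article attributes to WannaMine. Rules match behaviour, not file
# hashes, because a fileless miner leaves no binary on disk to hash.
MINER_CMDLINE = re.compile(r"stratum\+(tcp|ssl)://|--donate-level", re.I)
ENCODED_PS = re.compile(r"powershell.*(-enc(odedcommand)?\s+[A-Za-z0-9+/=]{40,}|-w(indowstyle)?\s+hidden)", re.I)
PERSISTENCE = re.compile(r"schtasks\s+/create|reg(\.exe)?\s+add\s+.*\\CurrentVersion\\Run", re.I)
STAGING_DIR = re.compile(r"\\Windows\\Network Distribution\\", re.I)
SCRIPT_HOSTS = ("powershell.exe", "wscript.exe", "cscript.exe", "mshta.exe")

@dataclass
class ProcEvent:
    pid: int
    parent: str     # parent process image name
    image: str      # full path of the new process
    cmdline: str

def findings(ev: ProcEvent) -> list:
    """Names of the rules one process-creation event trips."""
    hits = []
    if MINER_CMDLINE.search(ev.cmdline):
        hits.append("miner_cmdline")              # pool URL or miner-only flag
    if ENCODED_PS.search(ev.cmdline):
        hits.append("encoded_or_hidden_powershell")
    if PERSISTENCE.search(ev.cmdline) and ev.parent.lower() in SCRIPT_HOSTS:
        hits.append("script_host_persistence")    # Task Scheduler / Run key from a script
    if STAGING_DIR.search(ev.image) or STAGING_DIR.search(ev.cmdline):
        hits.append("eternalblue_staging_dir")
    return hits

def triage(events) -> dict:
    """pid -> findings, for every event that tripped at least one rule."""
    return {ev.pid: f for ev in events if (f := findings(ev))}

# Constructed sample telemetry: one benign admin script, three suspicious events.
SAMPLE_EVENTS = [
    ProcEvent(1001, "explorer.exe", r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              r"powershell.exe -File C:\Scripts\inventory.ps1"),
    ProcEvent(1002, "wmiprvse.exe", r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              "powershell.exe -nop -w hidden -enc " + "QQBBAEEA" * 8),
    ProcEvent(1003, "powershell.exe", r"C:\Windows\System32\schtasks.exe",
              r'schtasks /create /sc onlogon /tn "Updater" /tr "powershell -w hidden -File C:\Users\Public\u.ps1"'),
    ProcEvent(1004, "services.exe", r"C:\Windows\Network Distribution\svchost.exe",
              "svchost.exe -o stratum+tcp://pool.example.invalid:3333 --donate-level 1"),
]
```

Running `triage(SAMPLE_EVENTS)` leaves the inventory script alone and flags the other three, each with the rule names that explain why, which is the starting point for understanding the attack vector rather than just the symptom.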

Tips

Cryptojacking is a menace to an organization’s productivity and security. To address this risk, organizations need to:

  • Practice strong security hygiene. IT hygiene is foundational to security. Regularly patching vulnerable applications and operating systems, and protecting privileged user accounts, are essential practices for optimal security posture.
  • Deploy a true next-generation endpoint protection platform (EPP). Organizations must be prepared to prevent and detect all threats, including known and unknown malware as well as in-memory attacks. This requires a solution that includes next-gen AV protection, as well as endpoint detection and response (EDR), to prevent attacks and gain full visibility throughout the environment.

According to Gartner, effectively defending against threats to your endpoints means deploying a solution that has NGAV and EDR capabilities. The CrowdStrike Falcon platform is a true next-gen EPP solution that is designed to detect stealthy behavioral indicators of attack (IOAs), regardless of whether the malware writes itself to disk or executes in-memory only.